Updated the admin filter to use the admin token and role checks.
Change-Id: Icf61f635debba98dcf5515e543b294441d1bbaaa
diff --git a/full/Changes b/full/Changes
index 807c83e..0a6469c 100644
--- a/full/Changes
+++ b/full/Changes
@@ -5,7 +5,8 @@
- Added foreign keys to the DB tables of access and refresh token scopes.
2022-03-07
- Added more parameter checks and OAuth2Client web-service tests.
-
+2022-03-17
+ - Updated admin filter by using admin token and role checks.
# version 0.65.1
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/filter/AdminFilter.java b/full/src/main/java/de/ids_mannheim/korap/web/filter/AdminFilter.java
index 2738a3b..229e303 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/filter/AdminFilter.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/filter/AdminFilter.java
@@ -1,8 +1,8 @@
package de.ids_mannheim.korap.web.filter;
-import java.util.HashMap;
-import java.util.Map;
-
+import javax.servlet.ServletContext;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.springframework.beans.factory.annotation.Autowired;
@@ -11,89 +11,53 @@
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import com.sun.jersey.spi.container.ContainerResponseFilter;
-import com.sun.jersey.spi.container.ResourceFilter;
-import de.ids_mannheim.korap.authentication.AuthenticationManager;
-import de.ids_mannheim.korap.authentication.http.AuthorizationData;
-import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
-import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.constant.AuthenticationMethod;
import de.ids_mannheim.korap.dao.AdminDao;
import de.ids_mannheim.korap.exceptions.KustvaktException;
import de.ids_mannheim.korap.exceptions.StatusCodes;
-import de.ids_mannheim.korap.security.context.KustvaktContext;
import de.ids_mannheim.korap.security.context.TokenContext;
-import de.ids_mannheim.korap.user.User;
import de.ids_mannheim.korap.web.KustvaktResponseHandler;
/**
* @author hanl, margaretha
- * @date 04/2017
*
- * @see AuthenticationFilter
+ * @see {@link AuthenticationFilter}
*/
-@Deprecated
@Component
@Provider
-public class AdminFilter implements ContainerRequestFilter, ResourceFilter {
+public class AdminFilter extends AuthenticationFilter {
+ private @Context ServletContext servletContext;
@Autowired
private AdminDao adminDao;
@Autowired
- private AuthenticationManager authenticationManager;
-
- @Autowired
private KustvaktResponseHandler kustvaktResponseHandler;
- @Autowired
- private HttpAuthorizationHandler authorizationHandler;
-
@Override
- public ContainerRequest filter (ContainerRequest cr) {
- String authorization =
- cr.getHeaderValue(ContainerRequest.AUTHORIZATION);
+ public ContainerRequest filter (ContainerRequest request) {
+ ContainerRequest superRequest = super.filter(request);
- AuthorizationData data;
- try {
- data = authorizationHandler.parseAuthorizationHeaderValue(authorization);
- data = authorizationHandler.parseBasicToken(data);
- }
- catch (KustvaktException e) {
- throw kustvaktResponseHandler.throwit(e);
- }
+ String adminToken = superRequest.getEntity(String.class);
- String host = cr.getHeaderValue(ContainerRequest.HOST);
- String agent = cr.getHeaderValue(ContainerRequest.USER_AGENT);
- Map<String, Object> attributes = new HashMap<>();
- attributes.put(Attributes.HOST, host);
- attributes.put(Attributes.USER_AGENT, agent);
- try {
- // EM: fix me: AuthenticationType based on header value
- User user = authenticationManager.authenticate(AuthenticationMethod.LDAP,
- data.getUsername(), data.getPassword(), attributes);
- if (!adminDao.isAdmin(user.getUsername())) {
- throw new KustvaktException(StatusCodes.AUTHENTICATION_FAILED,
- "Admin authentication failed.");
+ SecurityContext securityContext = superRequest.getSecurityContext();
+ TokenContext tokenContext =
+ (TokenContext) securityContext.getUserPrincipal();
+ String username = tokenContext.getUsername();
+
+ if (adminToken != null && !adminToken.isEmpty()) {
+ // startswith token=
+ adminToken = adminToken.substring(6);
+ if (adminToken.equals(servletContext.getInitParameter("adminToken"))) {
+ return superRequest;
}
- Map<String, Object> properties = cr.getProperties();
- properties.put("user", user);
- }
- catch (KustvaktException e) {
- throw kustvaktResponseHandler.throwit(e);
}
- TokenContext c = new TokenContext();
- c.setUsername(data.getUsername());
- // EM: needs token type custom param in the authorization header
-// c.setTokenType();
- // MH: c.setTokenType(StringUtils.getTokenType(authentication));
- // EM: is this secure? Is token context not sent outside Kustvakt?
- c.setToken(data.getToken());
- c.setHostAddress(host);
- c.setUserAgent(agent);
- cr.setSecurityContext(new KustvaktContext(c));
-
- return cr;
+ if (adminDao.isAdmin(username)) {
+ return superRequest;
+ }
+ throw kustvaktResponseHandler.throwit(new KustvaktException(
+ StatusCodes.AUTHORIZATION_FAILED,
+ "Unauthorized operation for user: " + username, username));
}
@Override